Cookie policy reflects current cookies; updated when cookies change

Why it matters

GDPR Art. 13 requires that disclosures be accurate and current — a cookie policy listing Hotjar when the application no longer loads Hotjar, or omitting Segment which was added last quarter, means users are making consent decisions based on incorrect information. GDPR Art. 5(1)(a)'s accuracy principle applies to policy disclosures as much as to personal data records. A policy with placeholder text or a stale 'Last updated: 2022' date is a signal regulators treat as evidence that the compliance process is not operational, which can convert an isolated technical finding into a systemic accountability failure under Art. 5(2).

Remediation

Track a COOKIE_POLICY_UPDATED constant alongside COOKIE_REGISTRY and render it on the policy page. Add updating it to the checklist for any new third-party integration.

// src/lib/cookies/registry.ts
export const COOKIE_POLICY_UPDATED = '2026-04-18' // ISO 8601 — bump with registry changes

// app/cookies/page.tsx
import { COOKIE_POLICY_UPDATED } from '@/lib/cookies/registry'

<p className="text-sm text-gray-500">
  Last updated:{' '}
  {new Date(COOKIE_POLICY_UPDATED).toLocaleDateString('en-GB', {
    day: 'numeric', month: 'long', year: 'numeric',
  })}
</p>

If COOKIE_REGISTRY drives the policy page, the content stays current automatically. The only manual step is bumping COOKIE_POLICY_UPDATED when the registry changes and committing both in the same PR.

Detection

ID: cookie-consent-compliance.cookie-policy.policy-kept-current
Severity: info
What to look for: Compare the cookie policy's listed cookies against the actual cookies set by the application. Look for a "Last updated" date on the cookie policy page. Check the git history or file modification date of the cookie policy page — when was it last updated? If the cookie policy lists cookies that the application no longer sets, or if the application sets cookies not listed in the policy, the policy is stale. If the policy was last updated more than 6 months ago but the application added third-party services since then, flag it. If the cookie registry is generated from the COOKIE_REGISTRY constant (see previous check remediations), this check is inherently satisfied as long as the registry is updated when new services are added.
Pass criteria: Count all cookies currently set by the site and compare against the documented list. Cookie policy has a visible "Last updated" or "Last reviewed" date. Listed cookies match the application's actual cookie inventory (no missing, no orphaned entries). Policy is regenerated or reviewed when new third-party services are added.
Fail criteria: No "Last updated" date on the cookie policy. Cookie policy lists services (Hotjar, Intercom) that the application no longer uses. Cookie policy does not list services (Segment, PostHog) that were recently added. Policy appears to be a boilerplate template never customized to the actual application.
Skip (N/A) when: No cookie policy page exists (already failing at cookie-policy-page).
Detail on fail: Example: "Cookie policy has no 'Last updated' date. Lists Hotjar (_hjid) but Hotjar is not found in package.json or any script tag — appears to be a stale boilerplate. Does not list PostHog which was found in dependencies." or "Cookie policy is an unmodified generator template with placeholder text '[COMPANY NAME]' still present.".

Remediation: If the cookie policy is generated from the COOKIE_REGISTRY constant, add a last-updated display:

// Make the last-updated date the modification date of the registry file
// Or maintain it as a constant:
export const COOKIE_POLICY_UPDATED = '2026-02-01' // update when registry changes

// On the cookie policy page:
<p className="text-sm text-gray-500">
  Last updated:{' '}
  {new Date(COOKIE_POLICY_UPDATED).toLocaleDateString('en-GB', {
    day: 'numeric', month: 'long', year: 'numeric'
  })}
</p>

Add an item to your "new third-party service" checklist: whenever you add a new analytics tool, social pixel, chat widget, or embedded content provider, update COOKIE_REGISTRY and bump COOKIE_POLICY_UPDATED. If the registry drives the cookie policy page automatically, the page content is always current.

External references

gdpr · Art. 13 — GDPR — information provided at collection must remain accurate and current

gdpr · Art. 5(1)(a) — GDPR — transparency principle requires up-to-date disclosure

eprivacy · Art. 5(3) — ePrivacy Directive — consent is only valid for the purposes stated at time of collection; stale policy invalidates consent

Why it matters

Remediation

Track a COOKIE_POLICY_UPDATED constant alongside COOKIE_REGISTRY and render it on the policy page. Add updating it to the checklist for any new third-party integration.

// src/lib/cookies/registry.ts
export const COOKIE_POLICY_UPDATED = '2026-04-18' // ISO 8601 — bump with registry changes

// app/cookies/page.tsx
import { COOKIE_POLICY_UPDATED } from '@/lib/cookies/registry'

<p className="text-sm text-gray-500">
  Last updated:{' '}
  {new Date(COOKIE_POLICY_UPDATED).toLocaleDateString('en-GB', {
    day: 'numeric', month: 'long', year: 'numeric',
  })}
</p>

Detection

ID: cookie-consent-compliance.cookie-policy.policy-kept-current
Severity: info
What to look for: Compare the cookie policy's listed cookies against the actual cookies set by the application. Look for a "Last updated" date on the cookie policy page. Check the git history or file modification date of the cookie policy page — when was it last updated? If the cookie policy lists cookies that the application no longer sets, or if the application sets cookies not listed in the policy, the policy is stale. If the policy was last updated more than 6 months ago but the application added third-party services since then, flag it. If the cookie registry is generated from the COOKIE_REGISTRY constant (see previous check remediations), this check is inherently satisfied as long as the registry is updated when new services are added.
Pass criteria: Count all cookies currently set by the site and compare against the documented list. Cookie policy has a visible "Last updated" or "Last reviewed" date. Listed cookies match the application's actual cookie inventory (no missing, no orphaned entries). Policy is regenerated or reviewed when new third-party services are added.
Fail criteria: No "Last updated" date on the cookie policy. Cookie policy lists services (Hotjar, Intercom) that the application no longer uses. Cookie policy does not list services (Segment, PostHog) that were recently added. Policy appears to be a boilerplate template never customized to the actual application.
Skip (N/A) when: No cookie policy page exists (already failing at cookie-policy-page).
Detail on fail: Example: "Cookie policy has no 'Last updated' date. Lists Hotjar (_hjid) but Hotjar is not found in package.json or any script tag — appears to be a stale boilerplate. Does not list PostHog which was found in dependencies." or "Cookie policy is an unmodified generator template with placeholder text '[COMPANY NAME]' still present.".

Remediation: If the cookie policy is generated from the COOKIE_REGISTRY constant, add a last-updated display:

// Make the last-updated date the modification date of the registry file
// Or maintain it as a constant:
export const COOKIE_POLICY_UPDATED = '2026-02-01' // update when registry changes

// On the cookie policy page:
<p className="text-sm text-gray-500">
  Last updated:{' '}
  {new Date(COOKIE_POLICY_UPDATED).toLocaleDateString('en-GB', {
    day: 'numeric', month: 'long', year: 'numeric'
  })}
</p>

External references

gdpr · Art. 13 — GDPR — information provided at collection must remain accurate and current

gdpr · Art. 5(1)(a) — GDPR — transparency principle requires up-to-date disclosure

eprivacy · Art. 5(3) — ePrivacy Directive — consent is only valid for the purposes stated at time of collection; stale policy invalidates consent

Cookie policy reflects current cookies; updated when cookies change

Why it matters

Severity rationale

Remediation

Detection

External references

Taxons

History

Cookie policy reflects current cookies; updated when cookies change

Why it matters

Severity rationale

Remediation

Detection

External references

Taxons

History